Windows 8 Not Immune to Ransomware

Cybercriminals have for some time now recognized that ransomware can be a highly profitable endeavor. This has led to a significant increase in the number of different ransomware variants in the wild, with no sign of the threat leaving the landscape anytime soon.

So, how effective is ransomware on Windows 8 compared to other operating systems? To answer this question, Symantec ran several prevalent ransomware samples currently found in the wild in a default Windows 8 environment. While some samples ran poorly on Windows 8, it did not take long to find a ransomware variant (Trojan.Ransomlock.U) that successfully locked a Windows 8 system, effectively holding it to ransom.
 

Figure. Ransomware-locked Windows 8 system
 

The Trojan.Ransomlock.U variant uses the geolocation of the compromised system to serve localized ransomware screens in the appropriate language. While the ransomware running on Windows 8 correctly identified our location, the cybercriminals in this case must not have realized that English is the main language spoken in Ireland (less than 15 percent of the population is actually able to read the Irish language). Their ingenuity in this case has lowered the chance of the ransom attempt being successful.

As more users adopt Windows 8, Symantec expects to see more malware targeting this new environment. Symantec will continue to actively monitor the threat landscape to ensure protection against any new threats.

For a detailed investigation into ransomware variants, please see our ransomware whitepaper.
 


 

If you are affected by any ransomware scam, do not pay the ransom. Instead, follow our removal steps and watch our video for additional help.

Christmas Would Not Text You That Early

Even with mobile phones now being an essential part of our lives, I am still not used to receiving text message spam. Hence, I was kind of excited when I recently received one on my private number. The claim was that I had won something from Apple. The spam was sent from a number in Virginia, +1 540 514 [REMOVED], and it looks like the scam is currently run in a few different countries.
 

Figure 1. Swiss German version of scam text message
 

If you click on the link, which you obviously should not do, you will end up at a site that tells you that your gift is a brand new iPhone 5. All you have to do is enter the winning code that you received in the text message. The text is badly written with several spelling errors, just like in the old spam email days. After a user enters a code, he or she will be forwarded through an advertisement network to some other marketing site, generating some profit for the affiliate. Of course, there is no free gift for the user.

In the image folder of the Web server, we can see evidence suggesting there may be other scams, offering other prizes such as gift cards.
 

Figure 2. Belgian version of scam site
 

I do not know where the spammers obtained my phone number, but it is evident from the public server logs that there are a few hundred other people who have received the same message. The link itself contains your phone number; hence clicking on the link confirms your number and puts you at risk of receiving more spam in the future. In addition, your browser request—to some extent—will also send your mobile phone brand through the browser user agent. This data could then be used in the future for further attacks. Luckily, in this scam no drive-by-download attack is used. From the methods used it looks like it is the same group that was also behind some social networking scam messages earlier this year.

As always, do not respond to such spam messages.
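The post notes that the link in the message contains the recipient's own phone number, so a click confirms the number to the sender. The following is an added example, not code from the original post: a check a message filter could run to flag such links before they are followed. The function name, the sample messages, the phone number and the `.example` domains are all constructed, and encoded or hashed forms of the number are not covered.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
# Separators that may sit between the digits of a formatted phone number.
SEP_BETWEEN_DIGITS = re.compile(r"(?<=\d)[\s\-.()+]+(?=\d)")


def links_embedding_number(sms_text, recipient_msisdn, tail_len=8):
    """Return the URLs in sms_text whose path, query or fragment contains
    the last tail_len digits of the recipient's own number."""
    digits = re.sub(r"\D", "", recipient_msisdn)
    if len(digits) < tail_len:
        raise ValueError("recipient number shorter than tail_len")
    # The trailing digits are the same whether the link uses the
    # international form (+41 79 ...) or the national form (079 ...).
    tail = digits[-tail_len:]
    flagged = []
    for raw in URL_RE.findall(sms_text):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation after the link
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed URL, nothing to inspect
            continue
        # Decode %2B, %20 etc., then collapse separators between digits.
        haystack = unquote("|".join((parts.path, parts.query, parts.fragment)))
        if tail in SEP_BETWEEN_DIGITS.sub("", haystack):
            flagged.append(url)
    return flagged


# Constructed sample data (hypothetical recipient number and messages).
RECIPIENT = "+41 79 555 01 23"
SAMPLES = [
    "Gratuliere! Code 7731: http://prize.example/w/0795550123",
    "You won! http://prize.example/c?n=%2B41-79-555-01-23&code=7731.",
    "Your parcel is on its way: https://track.example/p/88120455",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        hits = links_embedding_number(msg, RECIPIENT)
        print("FLAG" if hits else "ok  ", msg)
```
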